Firewall & ICQ

Posted on 1998-04-07
Last Modified: 2013-12-23
Bastion host: FreeBSD & firewall(ipfw)
Q: How describe ICQ-ports in ipfw config for internet (w/external world) chat without ICQ server on bastion)
Question by:korzadze
4 Comments
 
Expert Comment

by:mzito
ID: 1583235
On the client side, in ICQ, go into the Connections tab in the Preferences folder and select "Permanent LAN" and "I'm behind a proxy server/firewall." Then click on "Firewall Settings" and set ICQ to use a range of tcp ports (you set them, but it should be no fewer than 11 ports, like 3600 to 3610). Finally, reconnect to the ICQ network to apply the new settings.

Then, using ipfw, poke a hole in the firewall for that given range of tcp ports.  I haven't used ipfw in a while, so I can't remember the exact syntax, but check the man pages for the forwarding syntax.

One more thing: you have to set up each client with a separate range of tcp ports  (i.e. Client #1 has ports 3600-3615, client #2 has ports 3616-3631, etc.). Then just poke the hole in the firewall for the whole range of ports.  Hope this answers your question.

Best Wishes,
Matthew Zito
Author Comment

by:korzadze
ID: 1583236
Sorry, but I don't know how to describe establishing a connection for ICQ in terms of ipfw, i.e. established, setup ... and protocols TCP, UDP or so. (novice in dealing with Unix :-( )

From man on ipfw:
     established    Matches packets that have the RST or ACK bits set.
                    TCP packets only.
     setup          Matches packets that have the SYN bit set but no
                    ACK bit.  TCP packets only.
Accepted Solution

by: mzito (earned 400 total points)
ID: 1583237
Oh, okay.  That's easy enough.  The simplest solution to your question is to not specify established or setup connections.  Here's the command line for what you're looking for  (I dragged out my old FreeBSD handbook):

       ipfw add allow tcp from any to AAA.BBB.CCC.0/24 DDDD-EEEE
 
Where AAA.BBB.CCC.0/24 is your class C network
DDDD is the start port that you put into ICQ
EEEE is the final port you put into ICQ
The DDDD-EEEE port range should ideally be for all clients. (i.e. in the aforementioned example if Client #1 has 3000-3020, client #2 has 3021-3040, and client #3 has 3041-3060, your DDDD-EEEE would be 3000-3060.) That way, it's only one rule set your kernel has to match against. The other way would be to add an entry for each client. That syntax would be as follows:

       ipfw add allow tcp from any to AAA.BBB.CCC.FFF/32 DDDD-EEEE

In this case, AAA.BBB.CCC.FFF is a single IP address, which is why it is suffixed with /32. I would recommend a single rule, though, matching all clients. That way, the kernel will only match the one rule instead of one rule for each client. Hope this answered your question more thoroughly.
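One way to generate the rule set the accepted answer describes, added here as an example (not commands from the thread or from FreeBSD's own tooling): each client keeps its own non-overlapping range of at least 11 tcp ports, one rule covers the combined range, and the setup/established keywords quoted from the ipfw man page limit new inbound connections to that range. The network and client addresses are constructed.

```shell
#!/bin/sh
# Added example (not the thread's own commands). Entries are "ip:first-last",
# one per ICQ client, given in ascending port order.

# Validate the client ranges and print the combined range "first-last":
# at least 11 ports each (the ICQ firewall-setting minimum) and no overlap.
icq_range() {
    prev_last=0; lo=""; hi=""
    for entry in "$@"; do
        range=${entry#*:}
        first=${range%-*}
        last=${range#*-}
        [ "$last" -ge "$first" ] 2>/dev/null || { echo "bad range: $entry" >&2; return 1; }
        [ $((last - first + 1)) -ge 11 ] || { echo "fewer than 11 ports: $entry" >&2; return 1; }
        [ "$first" -gt "$prev_last" ] || { echo "overlaps previous client: $entry" >&2; return 1; }
        [ -n "$lo" ] || lo=$first
        hi=$last; prev_last=$last
    done
    [ -n "$lo" ] || return 1
    echo "$lo-$hi"
}

# Print the ipfw rules: replies to existing connections, outbound
# connections from the clients, new inbound connections only to the
# combined ICQ range, and a logged deny for any other inbound SYN.
icq_rules() {
    net=$1; shift                     # e.g. 192.0.2.0/24 (constructed)
    range=$(icq_range "$@") || return 1
    echo "ipfw add allow tcp from any to any established"
    echo "ipfw add allow tcp from $net to any setup"
    echo "ipfw add allow tcp from any to $net $range setup"
    echo "ipfw add deny log tcp from any to $net setup"
}

# Constructed sample: the three clients from the accepted answer's example.
icq_rules 192.0.2.0/24 192.0.2.10:3000-3020 192.0.2.11:3021-3040 192.0.2.12:3041-3060
```

The script only prints the rules so they can be reviewed before being applied on the bastion host.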
Expert Comment

by:mseiden
ID: 1583238
ICQ has both a proprietary protocol and proprietary code you run on your desktop. That protocol can be manipulated to install a back door on your machine. For one example, see http://members.tripod.com/~hakz/ICQ/index.html, which claims one such back door has been written capable of executing arbitrary commands on your desktop machine.

There have been a number of data-driven attacks on ICQ posted to various bug reporting lists. I recommend to my clients that ICQ not be allowed through firewalls until the protocol is published and proxies are written that can handle it.